gfwleak/tango-tsg-container
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

更新 TFE 安装包/配置 -- by luwenpeng

Browse Source
This commit is contained in:
fumingwei
2021-03-25 11:09:02 +08:00
parent 52bde4d275
commit f8b6a40925
11 changed files with 299 additions and 115 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
tfe_sysctl.conf → 80-tfe.conf
View File

271
config/tfe/resource/pangu/pangu_http.json Normal file
View File

@@ -0,0 +1,271 @@
{
"compile_table": "PXY_CTRL_COMPILE",
"group2compile_table": "GROUP_COMPILE_RELATION",
"group2group_table": "GROUP_GROUP_RELATION",
"rules": [
{
"compile_id": 1021,
"service": 1,
"action": 48,
"do_blacklist": 1,
"do_log": 1,
"effective_range": 0,
"user_region": "{\"protocol\":\"http\",\"method\":\"redirect\",\"code\":302,\"to\":\"https://www.jd.com\"}",
"is_valid": "yes",
"groups": [
{
"group_name":"http_url",
"not_flag":0,
"regions": [
{
"table_name": "TSG_OBJ_URL",
"table_type": "string",
"table_content": {
"keywords": "baidu.com",
"expr_type": "regex",
"match_method": "sub",
"format": "uncase plain"
}
}
]
}
]
},
{
"compile_id": 1022,
"service": 1,
"action": 48,
"do_blacklist": 1,
"do_log": 1,
"effective_range": 0,
"tags":"{\"tag_sets\":[[{\"tag\":\"device_id\",\"value\":[\"device_3\",\"device_4\"]}]]}",
"user_region": "{\"protocol\":\"http\",\"method\":\"redirect\",\"code\":302,\"to\":\"https://www.jd.com\"}",
"is_valid": "yes",
"groups": [
{
"group_name":"http_url",
"virtual_table":"TSG_FIELD_HTTP_URL",
"not_flag":0
}
]
},
{
"compile_id": 1023,
"service": 1,
"action": 48,
"do_blacklist": 1,
"do_log": 1,
"effective_range": 0,
"user_region": "{\"protocol\":\"http\",\"method\":\"replace\",\"rules\":[{\"search_in\":\"http_resp_body\",\"find\":\"邮箱\",\"replace_with\":\"test\"}]}",
"is_valid": "yes",
"groups": [
{
"group_name":"http_fqdn",
"not_flag":0,
"regions": [
{
"table_name": "TSG_OBJ_FQDN",
"table_type": "string",
"table_content": {
"keywords": "www.126.com",
"expr_type": "regex",
"match_method": "sub",
"format": "uncase plain"
}
}
]
}
]
},
{
"compile_id": 1024,
"service": 1,
"action": 48,
"do_blacklist": 1,
"do_log": 1,
"effective_range": 0,
"user_region":"{\"protocol\":\"http\",\"method\":\"replace\",\"rules\":[{\"search_in\":\"http_resp_body\",\"find\":\"大师\",\"replace_with\":\"小小\"}]}",
"is_valid": "yes",
"groups": [
{
"group_name":"http_fqdn",
"virtual_table":"TSG_FIELD_HTTP_HOST",
"not_flag":0
}
]
},
{
"compile_id": 1025,
"service": 1,
"action": 48,
"do_blacklist": 1,
"do_log": 1,
"effective_range": 0,
"user_region": "{\"protocol\":\"http\",\"method\":\"replace\",\"rules\":[{\"search_in\":\"http_resp_body\",\"find\":\"会员\",\"replace_with\":\"用户\"}]}",
"is_valid": "yes",
"groups": [
{
"group_name":"http_fqdn",
"virtual_table":"TSG_FIELD_DOH_QNAME",
"not_flag":0
}
]
},
{
"compile_id": 1026,
"service": 1,
"action": 48,
"do_blacklist": 1,
"do_log": 1,
"effective_range": 0,
"user_region": "{\"protocol\":\"http\",\"method\":\"block\",\"code\":403,\"message\":\"error\"}",
"is_valid": "yes",
"groups": [
{
"group_name":"http_signature_ua",
"not_flag":0,
"regions": [
{
"table_name": "TSG_OBJ_HTTP_SIGNATURE",
"table_type": "expr_plus",
"table_content": {
"district": "User-Agent",
"keywords": "Chrome",
"expr_type": "none",
"match_method": "sub",
"format": "uncase plain"
}
}
]
},
{
"group_name":"http_signature_cookie",
"not_flag":0,
"regions": [
{
"table_name": "TSG_OBJ_HTTP_SIGNATURE",
"table_type": "expr_plus",
"table_content": {
"district": "Cookie",
"keywords": "uid=12345678",
"expr_type": "none",
"match_method": "sub",
"format": "uncase plain"
}
}
]
}
]
},
{
"compile_id": 1027,
"service": 1,
"action": 48,
"do_blacklist": 1,
"do_log": 1,
"effective_range": 0,
"user_region": "test",
"is_valid": "yes",
"groups": [
{
"group_name":"http_url_bing",
"not_flag":0,
"regions": [
{
"table_name": "TSG_OBJ_URL",
"table_type": "string",
"table_content": {
"keywords": "bing.com",
"expr_type": "regex",
"match_method": "sub",
"format": "uncase plain"
}
}
]
}
]
},
{
"compile_id": 1028,
"service": 1,
"action": 48,
"do_blacklist": 1,
"do_log": 1,
"effective_range": 0,
"user_region": "{\"protocol\":\"http\",\"method\":\"block\",\"code\":403,\"message\":\"error\"}",
"is_valid": "yes",
"groups": [
{
"group_name":"http_signature_ua",
"virtual_table":"TSG_FIELD_HTTP_REQ_HDR",
"not_flag":0
},
{
"group_name":"http_url_bing",
"virtual_table":"TSG_FIELD_HTTP_URL",
"not_flag":0
},
{
"group_name":"app_id",
"not_flag":0,
"regions": [
{
"table_name": "TSG_OBJ_APP_ID",
"table_type": "string",
"table_content": {
"keywords": "http.",
"expr_type": "regex",
"match_method": "sub",
"format": "uncase plain"
}
}
]
}
]
}
],
"plugin_table": [
{
"table_name": "TSG_PROFILE_RESPONSE_PAGES",
"table_content": [
"101\t404\thtml\t./resource/pangu/policy_file/404.html\t1"
]
},
{
"table_name": "PXY_PROFILE_HIJACK_FILES",
"table_content": [
"201\tchakanqi\tchakanqi-947KB.exe\tapplication/x-msdos-program\t./resource/pangu/policy_file/chakanqi-947KB.exe\t1"
]
},
{
"table_name": "PXY_PROFILE_INSERT_SCRIPTS",
"table_content": [
"301\ttime\tjs\t./resource/pangu/policy_file/time.js\tbefore_page_load\t1"
]
},
{
"table_name": "TSG_PROFILE_DECRYPTION",
"table_content": [
"0\ttest\t{\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":0,\"cert_pinning\":0,\"protocol_errors\":0,\"trusted_root_cert_is_not_installed_on_client\":0},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":1,\"allow_http2\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":1},\"fail_action\":\"pass-through\"}}\t1",
"3\ttest\t{\"dynamic_bypass\":{\"ev_cert\":1,\"cert_transparency\":1,\"mutual_authentication\":1,\"cert_pinning\":1,\"protocol_errors\":1,\"trusted_root_cert_is_not_installed_on_client\":0},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"tls13\",\"mirror_client\":1,\"allow_http2\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":1},\"fail_action\":\"fail-close\"}}\t1",
"4\ttest\t{\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":0,\"cert_pinning\":0,\"protocol_errors\":0,\"trusted_root_cert_is_not_installed_on_client\":0},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":0,\"allow_http2\":0},\"certificate_checks\":{\"approach\":{\"cn\":0,\"issuer\":0,\"self-signed\":0,\"expiration\":0},\"fail_action\":\"pass-through\"}}\t1"
]
},
{
"table_name": "TSG_SECURITY_COMPILE",
"table_content": [
"0\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring\":765,\"decryption\":0},\"decrypt_mirror\":{\"enable\":0}}\t1\t2",
"7\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring\":1,\"decryption\":0},\"decrypt_mirror\":{\"enable\":0}}\t1\t2"
]
},
{
"table_name": "PXY_SSL_FINGERPRINT",
"table_content": [
"1\t599f223c2c9ee5702f5762913889dc21\t0\t1",
"2\teb149984fc9c44d85ed7f12c90d818be\t1\t0",
"3\te6573e91e6eb777c0933c5b8f97f10cd\t1\t1"
]
}
]
}

2
config/tfe/tfe/tfe.conf
View File

@@ -16,7 +16,7 @@ breakpad_minidump_dir=/run/tfe/crashreport
# the first mask for acceptor thread # the first mask for acceptor thread
# the others mask for worker thread # the others mask for worker thread
enable_cpu_affinity=1 enable_cpu_affinity=1
cpu_affinity_mask=1-9 cpu_affinity_mask=11-19
# LEAST_CONN = 0; ROUND_ROBIN = 1 # LEAST_CONN = 0; ROUND_ROBIN = 1
load_balance=1 load_balance=1

1
docker-compose.yml
View File

@@ -38,4 +38,5 @@ services:
- ./config/tfe/tfe/future.conf:/opt/tsg/tfe/conf/tfe/future.conf - ./config/tfe/tfe/future.conf:/opt/tsg/tfe/conf/tfe/future.conf
- ./config/tfe/tfe/tfe.conf:/opt/tsg/tfe/conf/tfe/tfe.conf - ./config/tfe/tfe/tfe.conf:/opt/tsg/tfe/conf/tfe/tfe.conf
- ./config/tfe/tfe/zlog.conf:/opt/tsg/tfe/conf/tfe/zlog.conf - ./config/tfe/tfe/zlog.conf:/opt/tsg/tfe/conf/tfe/zlog.conf
- ./config/tfe/resource/pangu/pangu_http.json:/opt/tsg/tfe/resource/pangu/pangu_http.json
- /etc/localtime:/etc/localtime:ro - /etc/localtime:/etc/localtime:ro

9
dockerfile/tfe/Dockerfile
View File

@@ -39,9 +39,10 @@ RUN yum install -y \
&& pip3 install supervisor \ && pip3 install supervisor \
&& yum clean all && yum clean all
COPY tfe-env.sh /opt/tsg/tfe/ COPY tfe-4.3.30.202103251012260800.7e54768-1.el7.x86_64.rpm /tmp/
COPY tfe-4.3.30.202103111806030800.ce55dbd-1.el7.x86_64.rpm /root/ COPY tfe-debuginfo-4.3.30.202103251012260800.7e54768-1.el7.x86_64.rpm /tmp/
RUN rpm -ivh /root/tfe-4.3.30.202103111806030800.ce55dbd-1.el7.x86_64.rpm && chmod o+x /opt/tsg/tfe/tfe-env.sh RUN rpm -ivh /tmp/tfe-4.3.30.202103251012260800.7e54768-1.el7.x86_64.rpm && rpm -ivh /tmp/tfe-debuginfo-4.3.30.202103251012260800.7e54768-1.el7.x86_64.rpm
COPY supervisord.conf /etc/supervisord/ COPY supervisord.conf /etc/supervisord/
WORKDIR /opt/tsg/tfe/ WORKDIR /opt/tsg/tfe/
@@ -49,4 +50,4 @@ WORKDIR /opt/tsg/tfe/
ENTRYPOINT ["/usr/local/bin/supervisord", "-n", "-c", "/etc/supervisord/supervisord.conf"] ENTRYPOINT ["/usr/local/bin/supervisord", "-n", "-c", "/etc/supervisord/supervisord.conf"]
# docker run -it --cap-add=NET_ADMIN --cap-add=SYS_PTRACE --security-opt seccomp=unconfined --device /dev/net/tun:/dev/net/tun tfe:v1 /bin/bash # docker run -it --cap-add=NET_ADMIN --cap-add=SYS_PTRACE --security-opt seccomp=unconfined --device /dev/net/tun:/dev/net/tun tfe:v1 /bin/bash
# supervisorctl -c /etc/supervisord/supervisord.conf status # supervisorctl -c /etc/supervisord/supervisord.conf status

BIN
dockerfile/tfe/tfe-4.3.30.202103111806030800.ce55dbd-1.el7.x86_64.rpm
View File

Binary file not shown.

BIN
dockerfile/tfe/tfe-4.3.30.202103251012260800.7e54768-1.el7.x86_64.rpm Normal file
View File

Binary file not shown.

BIN
dockerfile/tfe/tfe-debuginfo-4.3.30.202103251012260800.7e54768-1.el7.x86_64.rpm Normal file
View File

Binary file not shown.

108
dockerfile/tfe/tfe-env.sh
View File

@@ -1,108 +0,0 @@
#!/bin/bash
INCOMING_DEVICE=tun_kni
LOCAL_MAC_ADDR=fe:65:b7:00:00:01
PEER_MAC_ADDR=aa:bb:cc:dd:ee:ff
LOCAL_IP_ADDR=172.16.241.2
PEER_IP_ADDR=172.16.241.1
start_fun()
{
# 创建虚拟网卡
/usr/sbin/ip tuntap add dev ${INCOMING_DEVICE} mode tun one_queue
# 设置网卡的 MAC
/usr/sbin/ip link set ${INCOMING_DEVICE} address ${LOCAL_MAC_ADDR}
# 设置网卡的状态
/usr/sbin/ip link set ${INCOMING_DEVICE} up
/usr/sbin/ip addr flush dev ${INCOMING_DEVICE}
# 设置网卡的 IPv4 地址
/usr/sbin/ip addr add ${LOCAL_IP_ADDR}/30 dev ${INCOMING_DEVICE}
# 刷新网卡的 ARP
# /usr/sbin/ip neigh flush dev ${INCOMING_DEVICE}
# 将 PEER 的 IP / MAC 加入到本地设备的 ARP 表中
#/usr/sbin/ip neigh add ${PEER_IP_ADDR} lladdr ${PEER_MAC_ADDR} dev ${INCOMING_DEVICE} nud permanent
###########################################################################
# policy route v4
###########################################################################
# 流入的流量走 100 号路由表
/usr/sbin/ip rule add iif ${INCOMING_DEVICE} tab 100
/usr/sbin/ip route add local default dev lo table 100
# 流出的带 0x65 的流量走 101 号路由表
/usr/sbin/ip rule add fwmark 0x65 lookup 101
/usr/sbin/ip route add default dev ${INCOMING_DEVICE} via ${PEER_IP_ADDR} table 101
###########################################################################
# policy route v6
###########################################################################
# 设置网卡的 IPv6 地址
/usr/sbin/ip addr add fd00::02/64 dev ${INCOMING_DEVICE}
/usr/sbin/ip -6 route add default via fd00::01
# 流入的流量走 102 号路由表
/usr/sbin/ip -6 rule add iif ${INCOMING_DEVICE} tab 102
/usr/sbin/ip -6 route add local default dev lo table 102
# 将 PEER 的 IP / MAC 加入到本地设备的 ARP 表中
#/usr/sbin/ip -6 neigh add fd00::01 lladdr ${PEER_MAC_ADDR} dev ${INCOMING_DEVICE} nud permanent
###########################################################################
# iptables netfilter
###########################################################################
iptables -A INPUT -i ${INCOMING_DEVICE} -m bpf --bytecode '14,48 0 0 0,84 0 0 240,21 0 10 64,48 0 0 9,21 0 8 6,40 0 0 6,69 6 0 8191,177 0 0 0,80 0 0 20,21 0 3 88,80 0 0 21,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1
}
stop_fun()
{
iptables -F
/usr/sbin/ip rule del iif ${INCOMING_DEVICE} tab 100
/usr/sbin/ip route del local default dev lo table 100
/usr/sbin/ip rule del fwmark 0x65 lookup 101
/usr/sbin/ip route del default dev ${INCOMING_DEVICE} via ${PEER_IP_ADDR} table 101
/usr/sbin/ip -6 rule del iif ${INCOMING_DEVICE} tab 102
/usr/sbin/ip -6 route del default via fd00::01
/usr/sbin/ip -6 route del local default dev lo table 102
/usr/sbin/ip addr del fd00::02/64 dev ${INCOMING_DEVICE}
/usr/sbin/ip link set ${INCOMING_DEVICE} down
# 删除虚拟网卡
/usr/sbin/ip tuntap del dev ${INCOMING_DEVICE} mode tap
}
status_fun()
{
iptables -L
}
case "$1" in
start)
start_fun
;;
stop)
stop_fun
;;
restart)
stop_fun
start_fun
;;
status)
status_fun
;;
*)
echo "Usage: $0 {start|stop|status|restart}"
esac
exit 0

4
init_tfe_env.sh
View File

@@ -19,7 +19,7 @@ dockerrmf ()
docker rm `docker ps --no-trunc -aq` docker rm `docker ps --no-trunc -aq`
} }
cp tfe_sysctl.conf /etc/sysctl.d/ cp 80-tfe.conf /etc/sysctl.d/
sysctl -p /etc/sysctl.d/tfe_sysctl.conf sysctl -p /etc/sysctl.d/tfe_sysctl.conf
#dockerrmf #dockerrmf
@@ -76,4 +76,4 @@ echo "================ run 'iptables' in container ================"
ip netns exec ${container} iptables -L ip netns exec ${container} iptables -L
echo "================ run 'ping' in container ================" echo "================ run 'ping' in container ================"
ip netns exec ${container} ping -c10 ${PEER_IP} ip netns exec ${container} ping -c5 ${PEER_IP}

19
restart_vpp_sapp_tfe.sh Executable file
View File

@@ -0,0 +1,19 @@
#!bin/bash
# work dir
cd /root/tsg_container
# stop sapp tfe vpp
docker-compose down
systemctl stop vpp
# start vpp sapp tfe
systemctl start vpp
sleep 5
docker-compose up >> restart.log &
sleep 3
# start tfe env
sh init_tfe_env.sh
cd -